Tabs, Spaces, and SQLi: Why Security is a Matter of Craftsmanship

"Don't touch the stove." "Don't run with scissors." As parents, we know that telling kids what not to do is often the fastest way to ensure they do it. So why is our industry's go-to training method still just a list of "Don'ts" called the OWASP Top 10? Do we really expect "Don't do XSS" to be any more effective than "Don't eat that cookie"?

We don't teach people to drive by listing every way to crash a car. Nor do we help developers by handing them 100-page PDF reports filled with security jargon like CVEs and CVSS base scores. Providing that much noise is like enabling compiler warnings, getting 10,000 hits, and immediately disabling them again. It’s not education; it’s a nuisance.

Developers became developers because they had fun solving problems. We used to have "wars" over tabs vs. spaces or where to put a curly bracket—all in the name of readability and craft. Why aren't we having those same passionate discussions about whether string concatenation in a database query is "good code"?

In the 1983 classic WarGames, the computer Joshua famously asked, "Shall we play a game?" It’s time we brought that spirit back to security education. After years of teaching security to developers, I’ve realized our current approach is fundamentally flawed. In this session, I’ll share what actually works to make security stick.

Thomas Ljungberg Kristensen

Security Advisor - WelcomeSecurity

Silkeborg, Denmark
